36
EMV for Merchants and Merchant Acquirers: U.S. Migration Considerations Smart Card Alliance Webinar October 6, 2011

EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Embed Size (px)

Citation preview

Page 1: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

EMV for Merchants and Merchant Acquirers: U.S. Migration Considerations

  Smart Card Alliance Webinar   October 6, 2011

Page 2: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Introductions •  Randy Vanderhoof •  Executive Director -- Smart Card Alliance

2

Page 3: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Who We Are

Smart Card Alliance mission To stimulate the understanding, adoption, use and widespread application of smart card technology through educational programs, market analysis, advocacy, and industry relations . . . .

Over 190 members, including participants from financial, retail, government, corporate, and transit industries and technology providers to those users

Major activities   Industry and Technology Councils

 Payments Council   Healthcare Council   Identity Council   Physical Access Council   Transportation Council

 Conferences, symposia, web seminars and educational workshops  Web-based resources and email newsletters

3

Page 4: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Smart Card Alliance Payments Council

Payments Council   Mission: Education facilitating the adoption of

chip-enabled payments in the U.S.

  Membership: 62 member organizations

  2011 focus: EMV and NFC

 Council resources: “Card Payments Roadmap in the United States” white paper; EMV FAQ; EMV Resources; Smart.Payments LinkedIn Group

 Outreach to industry groups

•  Standards: GlobalPlatform, ISO/ANSI •  Payment: ETA, NACHA •  Security: EMVCo, FSTC •  Mobile: NFC Forum, GSMA •  Merchant: NRF, MAG

4

Page 5: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Today’s Speakers

  Randy Vanderhoof, Executive Director, Smart Card Alliance

  Oliver Manahan, Vice President, MasterCard Worldwide & Payments Council Co-Chair

  Guy Berg, Global Industry Consultant, Datacard Group

  Simon Hurry, Senior Business Leader, Visa Inc. & Payments Council Co-Chair

  Amer Matar, Chief Technology Officer, Moneris Solutions

5

Page 6: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Webinar Topics

 Global EMV deployment and results

 Business drivers for U.S. migration to EMV and key choices in EMV implementation

 EMV 101: How do EMV payment processes differ from magnetic stripe transactions; what are issuer EMV options and their implications for card acceptance; what are key considerations for EMV implementation

 Overview of Visa U.S. migration approach and next steps for merchants and acquirers

 Acquirer and merchant lessons learned from Canadian EMV migration

6

Page 7: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Global EMV Deployment   Oliver Manahan   Vice President, MasterCard Worldwide

7

Page 8: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Global EMV Deployment

8

Page 9: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Business Drivers

• Current equipment: •  Chip capable, or requires new POS?

• Chip brings more data •  Modifications to internal systems and potentially

network • Training, testing, etc. • Reduction in fraud – hence reduction in request for copy / chargebacks

• Opportunity to optimize processes • Improvement in check-out speed

9

Page 10: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Key Choices

• Contact chip only, or contact and contactless •  Contactless also supports newer payment options, e.g.,

Mobile/NFC • Support for online only, or offline as well

•  Offline requires brand public keys within the device, and maintenance of those keys

• Support of cardholder verification •  Online PIN, Offline PIN, Signature, No CVM…

10

Page 11: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

 Smart Card Alliance  191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828  www.smartcardalliance.org

Oliver Manahan [email protected]

11

Page 12: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

EMV in 10 Minutes   Guy Berg   Global Industry Consultant, Datacard Group

12

Page 13: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

EMV Transaction Framework

Online Dynamic

Cryptogram

Issuer Auth System

Acquirer System

Payment Brand

ARPC

Online Dynamic Cryptogram

ARPC

Online Dynamic Cryptogram

(1) EMV chip application performs

risk assessment

(2) Terminal performs risk assessment

Add EMV Field 55 data

(3) New EMV authentication data

(4) Issuer Authorization Changes  Dynamic cryptogram validation  May return an authentication cryptogram  Post issuance updates

Online Dynamic Cryptogram

13

Page 14: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Operating System Level

 MULTOS  Global Platform JavaCard  Card Vendor 1 Proprietary  Card Vendor 2 Proprietary  Card Vendor 3 Proprietary  Etc....

EMV Card Basics

EMV Application Level  Visa

 payWave Contactless EMV  VSDC Contact EMV

 MasterCard  M/Chip (EMV) PayPass  M/Chip Contact EMV

 American Express  Discover

Data Level

Personalization Data •  Risk management criteria •  Cardholder data •  Security keys and certificates

Card Perspective

 Card vendors have different chip operating systems

 Brands have different chip application implementations

 Brands have different EMV risk configuration options

14

Page 15: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Terminal Perspective

Terminal Operating System

EMV Kernel EMV terminal functions that EMVCo tests against the

EMV standards and certifies

Visa EMV terminal processing functions

MC EMV terminal processing functions

AMEX EMV terminal processing functions

Discover EMV terminal processing functions

Others EMV terminal processing functions

Each Brand has different terminal certification requirements

15

Page 16: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

EMV Risk Management and Security

Card Stock Security

Online Transaction

Security

Offline Transaction

Security

Issuance Security

Data Preparation &

Key Mgmt Security

Risk Management Decision Criteria

PIN

16

Page 17: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Online EMV Authentication (Dynamic Cryptogram)

ARPC

Issuer Auth System

Acquirer System

Payment Brand

ARPC

Online Dynamic Cryptogram

EMV data

EMV Field 55

data

ARPC

Online Cryptogram

ARQC

Online Dynamic Cryptogram (3DES) – ARQC

For Contact and Contactless

Online Response Cryptogram (3DES) – ARPC

For Contact Chip EMV

HSM

17

Page 18: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Combined Online and Offline Authentication

ARPC

Issuer Auth System

Acquirer System

Payment Brand

ARPC

EMV transaction data EMV

transaction data

ARPC

Online Dynamic Cryptogram

Online Dynamic Cryptogram

SDA, DDA, CDA

Offline Authentication

Online Dynamic Cryptogram (3DES) - ARQC

18

Page 19: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

 Smart Card Alliance  191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828  www.smartcardalliance.org

Guy Berg [email protected] 651-354-6808

19

Page 20: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

EMV in the USA – Acceptance channel  Simon Hurry  Senior Business Leader, Visa Inc.

20

Page 21: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Agenda

•  Layered approach to security

•  Visa’s US chip acceleration and mobile adoption announcement

•  Network impacts

•  EMV support considerations

•  Summary

21

Page 22: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

It will take time to reach critical mass for chip deployment. A layered approach is advised to minimize risk.

Layered Approach to Security

Authentication

Elimination & Encryption

PCI DSS Compliance PCI DSS

Compliance

Elimination & Encryption

Authentication

Today Tomorrow

Static Mag Stripe

Dynamic Cryptogram Devalue transaction data by moving to online

dynamic authentication, globally • Eliminate vulnerable data where possible • Maintain effective security where vulnerable data remains

Bridge solutions to optimize existing technologies while laying groundwork for future payment methods

Expand contact chip to all markets to lay commercial framework for contactless/mobile acceptance

Implement policies in U.S.A. to accelerate chip adoption

22

Page 23: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

* Visa Europe announced a corresponding program

–  PCI validation relief for merchants that adopt dual-interface terminals

2012

– Guide PCI encryption & token standards

–  Continue to enforce PCI & PIN compliance

2011 2015

U.S

. G

loba

l

– Global cross-border counterfeit liability shift (ex-U.S.) at POS

2012 2011

–  PCI validation relief for merchants that adopt contact chip terminals

–  Require acquirer processor support for chip processing

2013

TIP*

Tech Innovation Program (TIP)

–  Debit and credit domestic and cross-border counterfeit liability shifts at all POS excluding AFDs

2017

–  Expanded Liability Shifts to include Automated Fuel Dispensers (AFDs)

Acquirer Chip Processing

Liability Shift Liability Shift

Cross-Border Liability Shift

Guide & Enforce Security Standards

Further incent deployment of chip cards and chip terminals via a

liability shift policy

Promote early adoption of

dual-interface chip terminals

Visa Public

Visa Card Present Authentication Roadmap

23

Page 24: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Contact Chip Reader

Smart (Chip) Terminal Basics

Terminals, can be contact and/or contactless, but should be dual interface.

 Contact – Ideal for use with secure higher ticket payments, where speed of transaction is not as paramount; support of issuers in offline or international markets (including the USA). http://www.emvco.com/approvals.aspx

 Contactless /Mobile – Ideal for use in secure lower ticket payments, where speed of transaction is paramount. Foundation for acceptance of mobile payments

Contactless/Mobile Chip Reader

24

Page 25: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Contact Chip Card

Dual Interface Card

Mobile

Chip data sent from Acquirer

Host to VisaNet in Field 55

Foundation for Dynamic Authentication across Multiple Form Factors

•  Underlying EMV standards and data are consistent across contact chip and Visa payWave

•  Effective April 1, 2013, U.S. acquirer processors and sub-processor service providers are required to support merchant acceptance of chip transactions

Dual Interface Chip Reader (supporting both contact chip and Visa payWave in

addition to mag-stripe)

Chip Data Chip Data

25

Page 26: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Implementation Considerations

•  POS Software Development

•  Functional & Technical specifications

•  Evaluate POS Brand / EMV approval requirements

•  Order terminals

•  Determine POS physical set-up & infrastructure costs

•  Determine test tools and testing requirements

•  Assess host system updates for merchant/acquirer

• Field 55 (mandatory for CHIP data)

• Track #2 data (mandatory)

•  Implement payment software modifications to test system

Design & Build Phase

•  Integration Lab/Unit Testing of devices (mandated)

•  End-to-End Testing completed

• acquirer host testing

• Brand testing

•  Test production store with production card

Testing Phase

•  Define Business Requirements

•  Merchant Engagement

•  Determine support for contact/contactless/both

•  Submit RFP to POS vendors –

•  Document POS Config & Acquirer Interfaces

Initiation & Planning Acceptance Phase

•  Plan terminal deployment

• Devices and set-up

• Training & Signage

•  Soft Merchant Launch

• Audit and modify as needed

•  Full Production Launch

Lead-time considerations

RECOMMENDATION: Ensure merchant / acquirer terminal, software and processing changes are fully tested prior to implementation .

26

Page 27: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Summary

 Moving to an EMV-based POS environment and set of procedures –  Uses same infrastructure for contactless and contact chip –  Provides a path to reduce on-going PCI DSS compliance costs

 Chip offers increased data security and reduces the incidence of counterfeit fraud

 Contactless chip provides foundation for mobile payment  Rewards merchants that invest in dual interface terminals  Supports strengthening the existing payment methods and builds a

framework for future innovation

27

Page 28: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

 Smart Card Alliance  191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828  www.smartcardalliance.org

Simon Hurry [email protected]

28

Page 29: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

 Amer Matar  Chief Technology Officer, Moneris Solutions

Lessons Learned in Canadian Migration

29

Page 30: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Before You Start

 Industry wide change  Issuers  Consumers  Merchants  Acquirer / Processors  Brands

 Understanding the goal

 Working together Company Logo

30

Page 31: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Things to Keep in Mind

 Understand the challenge  Technology change  Business change  Behavioral change

 Do it once

 Inter-Brand harmonization

  EMVCo vs Brands

31

Page 32: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Where and How Do You Start

 Research

 Learn

 Engage Brands

 Industry Experience

 Commitment

32

Page 33: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Implementation Considerations

 Roles and responsibilities

 Pilot or not?

 80-20 rule

 Industry specific verticals

 Acquirers

33

Page 34: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

 Smart Card Alliance  191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828  www.smartcardalliance.org

Amer Matar [email protected]

34

Page 35: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Q&A Session

35

Page 36: EMV for Merchants and Merchant Acquirers: U.S. Migration ...d3nrwezfchbhhm.cloudfront.net/webinars/20111006_EMV_Merchant... · Each Brand has different terminal certification requirements

Smart Card Alliance 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 www.smartcardalliance.org

Speaker Contact Information

  Randy Vanderhoof, [email protected]

  Oliver Manahan, [email protected]

  Guy Berg, [email protected]

  Simon Hurry, [email protected]

  Amer Matar, [email protected]

36